Information security is a subject that has gained prominence in recent years, obtaining space in the media and becoming a commodity in companies of the most varied sizes and segments. In contrast, it is important to emphasize that the popularization of the term Information Security (sometimes shortened to InfoSec or IS) was motivated by the increase in the number of security incidents occurring worldwide. The disturbances generated by these incidents are diverse, generating from damage to the business image to leakage of critical information, which can lead to substantial financial losses.
The increase in the number of occurrences has been influencing the perception of value on investments in IS, and causes companies to seek the structuring of processes to ensure that their business is protected against the most varied types of virtual threats.
Amid this scenario, the international standard ISO/IEC 27002 has emerged, focusing on good practices for the management of information security. Nowadays it is fundamental for the consolidation of an Information Security Management System (ISMS), guaranteeing the continuity and keeping of security processes, aligned with the strategic goals of the organization. Next, know the main characteristics of the standard, as well as the benefits associated with its implementation:
What is ISO 27002?
In 1995, the international organizations ISO (The International Organization for Standardization) and IEC (International Electrotechnical Commission) gave rise to a group of standards that consolidate the guidelines related to the scope of Information Security, represented by the 27000 series. This group includes ISO/IEC 27002 (former 17799:2005 standard), an international standard setting out best practice code to support the implementation of the Information Security Management System (ISMS) in organizations.
By providing a complete implementation guide, it describes how controls can be established. These controls, in turn, should be chosen based on a risk assessment of the company’s most important assets. Contrary to what many managers think, ISO 27002 can be used to support the implementation of ISMS in any kind of small or large, public or private, For-profit or Nonprofit organization; and not only in technology companies.
What are its goals?
The main goal of ISO 27002 is to establish guidelines and general principles for starting, implementing, maintaining and improving the management of information security in an organization. This also includes selection, implementation and management of controls, taking into account the risk environments found in the company.
ISO 27002: benefits for companies?
The advantages provided by ISO 27002 certification are representative for companies, mainly because they are worldwide recognized. Know some benefits associated with applying the standard:
- Better awareness of information security;
- Greater control of sensitive assets and information;
- Provides an approach for implementation of control policies;
- Opportunity to identify and correct weaknesses;
- Reducing the risk of liability for not implementing an ISMS or determining policies and procedures;
- It becomes a competitive differential for the achievement of customers who value certification;
- Better organization with well-designed and managed processes and mechanisms;
- Promotes cost reduction with prevention of information security incidents;
- Compliance with legislation and other regulations.
What are the main items that comprise ISO 27002?
The main part of the standard is set across the following sections, which correspond to information security controls. It is worth remembering that the organization can use these guidelines as a basis for the development of the ISMS. As follows:
Section 5 – Information Security Policy
A document should be created on the company’s information security policy, containing the concepts of information security, a structure to establish goals and forms of control, management’s commitment to policy, among many other factors.
Section 6 – Organizing the Information Security
In order to implement Information Security in a company it is necessary to establish a framework to manage it properly. For this, information security activities should be coordinated by representatives from the organization, who must have well-defined responsibilities, protecting information of a confidential nature.
Section 7 – Asset Management
Asset, according to the norm, is anything that has value to the organization and which needs to be protected. For this, the asset must be identified and classified so that an inventory can be structured and subsequently maintained. In addition, they must follow documented rules, which define what kind of use is allowed for those assets.
Section 8 – Human Resource Security
Before hiring employees – or even suppliers -, it is important that they are properly analyzed, especially if they are dealing with sensitive information. The intent of this section is to mitigate the risk of theft, fraud or misuse of resources. When some employees are working in the company, they should be aware of the threats regarding information security, as well as their responsibilities and obligations.
Section 9 – Physical and environmental safety
Equipment and facilities for critical or sensitive information processing must be maintained in secure areas, with appropriate levels and access controls, including protection against physical and environmental threats.
Section 10 – Operations and Communications Security
It is important to be defined the procedures and responsibilities for the management and operation of all information processing resources. This includes outsourced service management, system resource planning to minimize the risk of failures, creation of backup and recovery procedures, and secure administration of communications networks.
Section 11 – Access Control
Access to information, as well as information processing resources and business processes, should be controlled based on business requirements and information security. Authorized user access as well as prevented unauthorized access to information systems should be ensured, in order to avoid damage to documents and information processing resources that are available to anyone.
Section 12 – Acquisition, development and maintenance of systems
The requirements of information systems security must be identified and agreed upon prior to their development and/or implementation, so that they can be protected in order to maintain their confidentiality, authenticity or integrity by cryptographic means.
Section 13 – Information Security Incident Management
Formal registration and escalation procedures must be established; employees, suppliers and third parties should be aware of the procedures for reporting information security events to ensure that they are reported as quickly as possible and corrected in a timely manner.
Section 14 – Business Continuity Management
Business continuity plans should be developed and implemented to prevent disruption of business activities as well as to ensure that core operations are quickly recovered.
Section 15 – Compliance
It is important to avoid the violation of any criminal or civil law, ensuring statutes, regulations or contractual obligations as well as any information security requirements. If necessary, the company may hire a specialized consultancy to verify its compliance and adherence to legal and regulatory requirements.
An important step for Information Security in corporate environments
Following the principles of ISO/IEC 27002 certification is a highly relevant step for ensuring information security in companies. In this sense, it is primordial to emphasize the importance of companies having certified professionals in their safety teams, giving greater support to the process of implementation of good practices related to the norm, as well as obtaining ISO 27001 certification.
Are you already ISO 27002 certified? Share your experience in the comments.
ABNT- Brazilian Association of Technical Standards. NBR ISO/IEC 27002 – Information technology – Security techniques – Code of practice for the management of information security. Rio de Janeiro, ABNT, 2005.